The Akamai Blog

Analyzing a Malicious Botnet Attack Campaign Through the Security Big Data Prism

Two of the most prominent evolutions in the web application attack landscape are scale and volume. Attackers now use tremendous amounts of computing resources, such as those provided by cloud computing and botnets, to mount distributed, large-scale attack campaigns over the Internet while keeping their identity hidden. From a defender's point of view, such attacks are a nightmare: they are much harder to detect and mitigate, because their origins are scattered and change rapidly. Analyzing only a limited slice of the malicious traffic usually results in an incomplete understanding of the campaign, its nature and its scale.

In this article we will show how the analysis of large-scale, global multi-site traffic may reveal interesting trends and malicious behavior patterns, and as a result can help improve protections against the next round of attacks.

Prior to initiating such massive distributed attacks, attackers try to compile a long list of vulnerable targets. In most cases they target known vulnerabilities in commonly used web application platforms such as Joomla, WordPress or Drupal.

In recent research conducted by Akamai's threat research team using Akamai's security big data platform (Cloud Security Intelligence), the team came across a malicious campaign focused on web applications running outdated modules of Joomla, one of the most commonly deployed content management systems. In this campaign, the attackers were trying to inject backdoors into the vulnerable web applications.

Deeper analysis of the campaign's traffic revealed that the attackers were trying to exploit Joomla's content editor, which allowed web users to upload files. This capability made Joomla susceptible to malicious file upload and, in turn, to remote code execution: an uploaded server-side script that the web server will execute is all the attacker needs. What the deep "single-event" analysis of the exploit did not reveal was the sheer volume and distribution of the attack. When the threat research team zoomed out and looked for similar attack patterns across Akamai's customer base, they uncovered an entire botnet working exclusively on attacks of this kind, slowly mining the Internet for more and more vulnerable applications. Here are the key findings from one month of security events, analyzed on Akamai's security big data platform:

Increase in Malicious Transactions Over Time

Looking at 43,000 malicious HTTP transactions over the period of one month, we saw a steady increase in the amount of malicious traffic:

[Figure: number of attacks per day]

Botnet Distribution by Country

Looking at the distribution of botnet machines by country, United States based bots were the most prominent:

[Figure: botnet distribution by country]

Botnet Distribution by Continent

Looking at the distribution of botnet machines by continent, Europe was the top continent from which bots were used:

[Figure: botnet distribution by continent]

Increase in Number of Targets Per Day

Over the period of one month, 2,008 different web applications were targeted. The chart shows a clear upward trend in the number of web applications targeted each day:

[Figure: number of targeted web applications per day]

Analysis of Bot Machines 

Looking at the bot machines that were sending the attacks, we noticed that most of them were themselves Internet-facing web applications. These were not the attackers' own infrastructure: the evidence (below) shows they were compromised web applications under the attackers' control.

[Figure: breakdown of bot machines by type]

Further analysis of the botnet machines running web servers showed that the prevalent server software was Apache:

[Figure: web server software on bot machines]

Further Evidence on the Attacker's Identity 

While analyzing the botnet machines that participated in the attack, we found that some of them were completely compromised and had backdoor and remote-control software installed. Others had also been defaced and left with hacktivist-style messages:

[Figure: defaced bot machine with hacktivist-style message]
The following image shows a backdoor on one of the compromised web servers giving attackers full control over the machine: 

[Figure: backdoor on a compromised web server]

Summary

  • Looking at the behavior of web attack botnets over time, we see a clear upward trend in both the number of applications attacked per day and the number of HTTP transactions per day. These botnets are not static in size; they grow over time as attackers add more and more machines to the malicious network.
  • Most of the bot machines in this attack came from the US and Europe, which makes geography-based protections ineffective. On the other hand, the majority of the malicious bots were Internet-facing web servers, whose IP addresses are static; this makes it practical to block them individually.
  • The ability to identify globally distributed malicious botnets through behavioral analysis of multi-site security data can be a game changer in the battle for web application security.
  • Correlating attack information across domains can help predict the next targets and therefore reduce the risk to applications that are not yet under attack.
  • Akamai's threat research team sees an increase in botnet-based attacks that use application-layer vulnerabilities as their primary weapon (as opposed to DDoS botnets).
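The two ideas the post rests on, flagging the malicious-upload attempts seen against a single site and then correlating those events across many sites to surface the botnet, can be illustrated in a few dozen lines. The following is an added example written for this page, not Akamai's code and not the Cloud Security Intelligence platform. The events are constructed, the `/editor/upload` route is a placeholder standing in for the CMS editor's upload endpoint rather than Joomla's real path, and the minimum-sites threshold is an arbitrary assumption; the point is that an address seen posting executable files to several unrelated customer sites is a campaign member that a single site would only ever see as one noisy client.

```python
"""Cross-site correlation of malicious-upload events.

Added example for this post; not Akamai's code. All events below are
constructed, and the "/editor/upload" route is an assumed placeholder for a
CMS editor upload endpoint, not Joomla's real route.
"""
import re
from collections import defaultdict

# Uploaded-file extensions that a PHP-capable web server would execute.
# Every suffix is checked, so "shell.php.jpg" is caught as well as "shell.php".
EXEC_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar"}

# Assumed upload endpoint of the CMS editor (placeholder path).
UPLOAD_PATH_RE = re.compile(r"/editor/upload\b")

# Constructed sample of WAF events from several customer sites.
# Fields: day, site, source IP, request path, uploaded filename ('' if none).
EVENTS = [
    ("2014-05-01", "site-a.example", "203.0.113.10", "/editor/upload", "shell.php"),
    ("2014-05-01", "site-b.example", "203.0.113.10", "/editor/upload", "cmd.php.jpg"),
    ("2014-05-01", "site-a.example", "198.51.100.7", "/editor/upload", "logo.png"),  # benign
    ("2014-05-02", "site-c.example", "203.0.113.10", "/editor/upload", "x.phtml"),
    ("2014-05-02", "site-b.example", "192.0.2.55", "/editor/upload", "door.php"),
    ("2014-05-02", "site-a.example", "192.0.2.55", "/editor/upload", "door.php"),
    ("2014-05-03", "site-d.example", "203.0.113.10", "/editor/upload", "shell.php"),
    ("2014-05-03", "site-d.example", "198.51.100.7", "/index.php", ""),  # no upload
    ("2014-05-03", "site-e.example", "203.0.113.99", "/editor/upload", "a.php5"),
    ("2014-05-03", "site-f.example", "192.0.2.55", "/editor/upload", "door.php"),
]


def is_malicious_upload(path, filename):
    """True when a file carrying an executable extension is posted to the editor upload route."""
    if not filename or not UPLOAD_PATH_RE.search(path):
        return False
    suffixes = filename.lower().split(".")[1:]  # every suffix after the base name
    return any(s in EXEC_EXTENSIONS for s in suffixes)


def correlate(events):
    """Aggregate malicious uploads across sites.

    Returns which sites each source IP attacked, how many distinct sites were
    targeted per day, and how many malicious transactions occurred per day
    (the two trends charted in the post).
    """
    sites_by_ip = defaultdict(set)
    targets_per_day = defaultdict(set)
    tx_per_day = defaultdict(int)
    for day, site, ip, path, filename in events:
        if not is_malicious_upload(path, filename):
            continue
        sites_by_ip[ip].add(site)
        targets_per_day[day].add(site)
        tx_per_day[day] += 1
    return {
        "sites_by_ip": {ip: sorted(s) for ip, s in sites_by_ip.items()},
        "targets_per_day": {d: len(s) for d, s in sorted(targets_per_day.items())},
        "tx_per_day": dict(sorted(tx_per_day.items())),
    }


def botnet_candidates(events, min_sites=2):
    """Source IPs seen attacking at least min_sites distinct customer sites.

    min_sites is an assumed threshold. Because the bots in the post were
    Internet-facing servers with static addresses, the returned list is a
    usable block list, unlike a country-based rule.
    """
    summary = correlate(events)
    return sorted(ip for ip, sites in summary["sites_by_ip"].items()
                  if len(sites) >= min_sites)


if __name__ == "__main__":
    summary = correlate(EVENTS)
    print("targets per day:", summary["targets_per_day"])
    print("transactions per day:", summary["tx_per_day"])
    print("block-list candidates:", botnet_candidates(EVENTS))
```

On the constructed sample, 203.0.113.10 hits four sites and 192.0.2.55 three, so both come out as block-list candidates, while 198.51.100.7 (a benign image upload and a plain page request) and 203.0.113.99 (one site only) do not. Raising `min_sites` trades recall for precision; on real multi-site data the threshold should be set against the observed distribution of sites-per-IP rather than guessed.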

This post was written by Or Katz, Principal Security Researcher & Ory Segal, Principal Product Architect